Posts Tagged security

Poking holes in PHP object privacy

Get it? Holes? Cheese?PHP provides a decent model of class member visibility, with public, private, and protected members to help you define tight APIs for your objects and show other developers how your object is supposed to be used. But used naively, PHP’s ‘magic methods’ can easily and subtly subvert this system, making everything public.

If you’re still new to object oriented programming in PHP5, think of “public” as roughly analogous to “my function’s arguments” and “private” as “local variables inside the function”. You wouldn’t want someone calling your function and messing with the local vars, and you wouldn’t want someone using your object messing with its private members.

Magic methods provide functionality like catching references to methods and properties which are not visible to us, and doing special things with them. Magic methods have always struck me as a bit weird, and whenever you bring them up in discussions online, there’s always a few people with reservations about them – efficiency, clarity, use-cases and so on.

I’m still in two minds; they can be useful in some circumstances, but here’s one reason why they could be considered harmful: Used carelessly, they can easily enable an OOP antipattern where all class members become public, even those declared as private or protected in the class definition. Read the rest of this entry »

, , , , , , , , , ,


WordPress Security Flaw – Admin Password Reset

It is possible to reset the admin password in all versions of wordpress up to and including the most recent version 2.8.3.

This information comes from a milw0rm exploit.
Read the rest of this entry »

, , , , ,



I don’t have time right now to give a lot of detail about computer security as a whole. But here’s what I’d say if you asked me how best to learn about network security and hacking: Read the rest of this entry »

, , , , ,


Breaking CAPTCHA without OCR

Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here.

This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software. It depends on an implementation problem that was quite common among CAPTCHA scripts when I originally published this in May 2005.
Read the rest of this entry »

, , , , , ,


free PHP CAPTCHA v1.4.1

freecap PHP Captcha

freeCap is a GPL CAPTCHA script to stop spam. It was written as a proof-of-concept at a time when there were really no other good PHP captcha scripts around (2005). For a long time I think it’s not untrue to say freeCap was the best PHP CAPTCHA there was.

To be perfectly honest, these days I would recommend you try reCAPTCHA first. freeCap does still do the job perfectly well, but the reCAPTCHA guys can provide better support than I.

Still, freeCap might be the solution for you if you want to be able to have more control over how the CAPTCHA works and is displayed. There are a whole load of tweakable options: multiple GD fonts, colours, backgrounds, obfuscation options etc. And the code is pretty good too if you’re just interested in PHP image processing. Still interested? Read on!

Read the rest of this entry »

, , , , ,


Steganography in PHP (!)

What? Am I insane? Officially, yes, but that’s not important. This is a PHP script that can hide files in images. It takes a JPG and converts to PNG. It requires GDlib and is almost totally pointless. Read the rest of this entry »

, , , , ,


Simple PHP Password Protection

A simple PHP script that offers easy to install, secure website password protection for any kind of server. Offers quite a few optional features, like logging incorrect login attempts, brute force protection etc, but still remains very simple to implement.
Read the rest of this entry »

, , , , , ,


How To Hack – Beginners Guide to Hacking Computers

“ The Only True Guide to Learning How to Hack ”

originally by R4di4tion (his email, but it’s no longer in use), with a few updates by myself.

You stay up all night on the PC typing and typing. No, you’re not hacking. You’re begging someone on IRC to teach you how to hack! Let’s look at the facts:

  1. You’re a luser and you’re annoying. No one likes you if you ask others how to hack without taking the least amount of initiative.
  2. You’re not worthy of any title even resembling hacker, cracker, phreaker, etc., so don’t go around calling yourself that! The more you do, the less likely you are to find someone willing to teach you how to hack (which is an infinitesimal chance, any way).
  3. You’re wasting your time (if you couldn’t infer that in the first place). Many real hackers (not those shitty script kiddies) spend all their insomniac hours reading and, yes even, HACKING! (Hacking doesn’t necessarily (but usually does) mean breaking into another system. It could mean just working on your own system, BUT NOT WINDOWS ’9x (unless you’re doing some really menacing registry shit, in which case, you’re kind of cool).)

Read the rest of this entry »

, , , , , , , ,